Re: [Catalyst] Duplicate session ids

Sat, 26 May 2007 15:09:25 -0700 

Bill Moseley wrote:

On Sat, May 26, 2007 at 04:08:48PM -0400, Perrin Harkins wrote:

On 5/26/07, Bill Moseley <[EMAIL PROTECTED]> wrote:

Perhaps an easier way to show the problem with duplicate created
sessions would help.

Do you mean duplicate or multiple?  The session ID generation code in
Catalyst::Plugin::Session does look like it could generate duplicates
to me, but that would be rare and unpredictable.


Ya, sorry.  Multiple.  It's generating one session id, storing values
under that ID, then creating a new session id and then sending that as
the cookie.  So when the browser returns that cookie none of the
session data is there.


I think I see what's happening.

First, it's the same behavior with Session::Store::File.

In Catalyst->handle_request, there's this (debugging added):

  my $c = $class->prepare(@arguments);
  $c->dispatch;
  $c->log->debug("SID Before: " . $c->_sessionid);
  $status = $c->finalize;
  $c->log->debug("SID After: " . $c->_sessionid);

You'll see that the session id changes after the call
to finalize.

  [debug] SID Before: dedcc0cbe98a54a4cb91513d7fc57ac5cabf20ac
  [debug] SID After: a069c84ee4004a21e50faa91f77d3278819c5704

The problem is that the finalize() process calls the
Catalyst::Plugin::Session->finalize_session before finalize_cookies()
is called.

And finalize_session() calls $c->_clear_session_instance_data after
saving.

So by the time your finalize_cookies() is called, the session has
been saved and cleared. When you call $c->session in finalize_cookies(),
it's unaware that the session ever existed, so a new one is created.

I don't know what the proper fix is. I'm still trying to understand
the whole process flow. Maybe $c->session should raise an exception
if it's already been saved. And then should the session try to finalize
later (dunno if that's even possible).

Maurice





_______________________________________________
List: Catalyst@lists.rawmode.org
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.rawmode.org/
Dev site: http://dev.catalyst.perl.org/






















					Reply via email to